Microchip Time Provider 4100 Hard-Coded Credentials Vulnerability Allowing Malicious Software Updates

Vulnerability

A vulnerability exists in the Microchip Time Provider 4100 GNSS GrandMaster, all versions prior to 2.5.0, due to hard-coded upgrade decryption passwords. An attacker who extracts the passwords used to decrypt the configuration file and filesystem packet can perform malicious manual software updates. Exploitation requires access to the unit and the ability to extract the root password, which is a complex and costly endeavor.

Impact

Exploitation of this vulnerability could lead to unauthorized manipulation of the device's software, potentially allowing for malicious configurations or actions to be executed by the device.

Remediation

Customers are strongly advised to upgrade to the latest firmware version, once available. Upgrades can be performed through a separate management port that should not be connected to an untrusted network. Access Control Lists (ACLs) can be used to further restrict access to trusted addresses.

Added: Mar 28, 2026, 11:18 AM
Updated: Mar 28, 2026, 11:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.2
remediation: 0.0
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.